forked from gitea/gitea
1
0
Fork 0

Correctly escape within tribute.js (#20831) (#20832)

Backport #20831

When writing html in tribute.js ensure that strings are properly escaped.

Signed-off-by: Andrew Thornton <art27@cantab.net>
This commit is contained in:
zeripath 2022-08-17 21:09:28 +01:00 committed by GitHub
parent 79fa1c15a4
commit 13b74accda
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 4 deletions

View File

@ -1,5 +1,6 @@
import {emojiKeys, emojiHTML, emojiString} from './emoji.js';
import {uniq} from '../utils.js';
import {htmlEscape} from 'escape-goat';
function makeCollections({mentions, emoji}) {
const collections = [];
@ -24,7 +25,7 @@ function makeCollections({mentions, emoji}) {
return emojiString(item.original);
},
menuItemTemplate: (item) => {
return `<div class="tribute-item">${emojiHTML(item.original)}<span>${item.original}</span></div>`;
return `<div class="tribute-item">${emojiHTML(item.original)}<span>${htmlEscape(item.original)}</span></div>`;
}
});
}
@ -36,9 +37,9 @@ function makeCollections({mentions, emoji}) {
menuItemTemplate: (item) => {
return `
<div class="tribute-item">
<img src="${item.original.avatar}"/>
<span class="name">${item.original.name}</span>
${item.original.fullname && item.original.fullname !== '' ? `<span class="fullname">${item.original.fullname}</span>` : ''}
<img src="${htmlEscape(item.original.avatar)}"/>
<span class="name">${htmlEscape(item.original.name)}</span>
${item.original.fullname && item.original.fullname !== '' ? `<span class="fullname">${htmlEscape(item.original.fullname)}</span>` : ''}
</div>
`;
}